EDR: How can we check EDR logs for signs of Log4J Exploitation Attempts to the EDR Server?
EDR Server: 7.5.2 and lower
How can we check attempts to use the Log4J exploit on our EDR servers?
Our Product Security Team mentions that SOLR is not publicly exposed by default and that input is escaped before making it to SOLR. In the interest of our customer base we decided to patch and remediate as soon as we could to avoid taking any chances.
Below is an example in the /var/log/cb/nginx/access.log log file of an attempt to exploit:
Checking for this can be done on the EDR Server terminal via:
grep -rni /var/log/cb/nginx/ -e 'jndi'
Please make note, this command is an attempt and not an indicator of compromise. The attempt is blocked by Nginx and is not allowed to go further into the system